2011 PlayStation Network outage

The 2011 PlayStation Network Outage refers to the major security breach against the PlayStation Network that took place between 17 and 19 April 2011. The event has gone down as the single largest data security breach in history, with 77 million user accounts being affected.

How It Started

On April 20, 2011, it was discovered that certain functions of the PlayStation Network had gone down, which Sony had acknowledged on the PlayStation Blog. This was discovered on PlayStation 3 systems when users received an "under maintenance" message when they attempted to sign into their accounts on that platform. Sony then launched an investigation to find out what happened, only to learn that an "external intrusion" which had occurred April 17-19. The result was a massive compromise of data and personal information, including upwards of 12,000 encrypted credit card numbers outside the US, in addition to around 24.7 million other accounts being breached. It took Sony at least a week to inform their users about the data theft. Due to the breach, various features of PlayStation Network and Qriocity on PlayStation 3 and PlayStation Portable were rendered unusable for a period; this includes certain Capcom titles, though some games could still be played offline.

Criticism of Sony

Sony Computer Entertainment themselves were criticized heavily for how they handled the ordeal; the biggest criticism they received was for not warning their users of the possibility that their personal information had been stolen sooner than April 26th. As previously mentioned, it took Sony a week to warn their users. Many were concerned that if the situation was that severe to where they had to shut down the network, why didn't Sony warn everybody sooner than April 26th? The British Information Commissioner's Office was highly critical of Sony's security measures and issued the following statement:

"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough. There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."^[1]

Because of the poor security in place at the time of the attack, and the failure to comply with British security laws, Sony was fined £250,000 (= $395,000).

The Network Outage

The Sony Online Entertainment Network was comprised again on May 2nd of the same year. This attack resulted in another 24.6 million SOE accounts with a further 12,700 credit card numbers, most of which were expired or inactive. This attack resulted in the SOE server being temporarily shut down. Security experts Eugene Lapidous of AnchorFree, Chester Wisniewski of Sophos Canada, and Avner Levin of Ryerson University criticized Sony, questioning its methods of securing user data. Lapidous called the breach "difficult to excuse" and Wisniewski called it "an act of hubris or simply gross incompetence".

Reactions

Sony had been threatened with legal action over the incident. US Senator Richard Blumenthal of Connecticut demanded answers from Sony about the data breach by emailing SCEA CEO Jack Tretton arguing about the delay in informing its customers and insisting that Sony do more for its customers than just offer free credit reporting services. Blumenthal later called for an investigation by the US Department of Justice to find the person or persons responsible and to determine if Sony was liable for the way that it handled the situation.

A Canadian lawsuit against Sony USA, Sony Canada, and Sony Japan claimed damages up to C$1 billion including free credit monitoring and identity theft insurance. The plaintiff was quoted as saying, "If you can't trust a huge multi-national corporation like Sony to protect your private information, who can you trust? It appears to me that Sony focuses more on protecting its games than its PlayStation users".

On May 23, Sony announced that the outage had cost them $171 million in damages.

The Aftermath

The whole situation lasted 23 days after the initial attack. As compensation for the outage, Sony introduced the "Welcome Back" program, in which Sony offered not only free games for both PlayStation 3 and PlayStation Portable, but also 30 days free PlayStation Plus membership, with existing members receiving an additional 30 days on top, and a year of identity theft protection to all users. Hulu also offered Plus members a week of free service to PS3 users who were unable to use the service during the outage. The outage also forced Sony to update their terms of service and security policies thanks in part to the class action suits they were faced with.

The security breach has harmed Sony Computer Entertainment's reputation due to how poorly this situation was handled. Many people had lost trust in Sony after the incident, and the effects lingered for the remainder of the seventh generation of gaming. They did manage to repair the damage done by the outage with the release of the PlayStation 4, which helped to restore their reputation by focusing more on the consumers' needs while receiving only minor criticism regarding some of their decision-making.

Unfortunately, while security has somewhat improved since 2011, the PlayStation Network is still prone to being hacked, as it was hacked again in 2014, along with Xbox Live (though, fortunately, the damage was almost nothing when compared to this outage)

Videos

References

Comments